标签:mvm mcafee rule vuln set faultline
内容没有多大意义,关键是打破砂锅问到底的心。
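/****** Script for SelectTopNRows command from SSMS ******/
-- Look up the rule-based Vuln Set named "cmb_default" together with the two
-- columns that hold its filter definition.  T-SQL has no "//" comment syntax,
-- so the per-column notes use "--"; the quotes around the literal were
-- mangled to curly quotes on the original page and are restored here.
SELECT TOP 1000
    [VulnSetID]
    ,[VulnsVersion]
    ,[VulnSetVersion]
    ,[Name]
    ,[Unnamed]
    /* Remaining columns of the table, deliberately left out of this look-up:
       [Description], [OrgID], [Creator], [CreateDate], [ModifiedDate],
       [VulnChecks], [EnableWhamScan], [ScanForWireless], [EnableShellScan],
       [StartWebCrawl], [SourceSifting], [SmartGuess], [SqlHack],
       [SourceDisclose], [EnableBruteForcing], [BruteForcing],
       [JavaAppletDecompile], [DirectoryBrowse] */
    ,[VulnSetType]
    ,[VulnFilterXML]            -- filter definition; its content corresponds to VulnFilter.xml
    ,[VulnFilterProcessedQuery] -- SQL text that selects every Vuln matched by the filter
                                -- NOTE(review): presumably the product executes this text as-is;
                                -- if so, write access to this column is equivalent to running
                                -- arbitrary SQL against the scanner database - confirm and restrict
    ,[State]
FROM [faultline].[ScanComponent].[VulnSet]
WHERE [Name] = 'cmb_default';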
当初的Vuln Set的设置是根据树形结构的勾选,可以通过VulnSetVulns表查询到Vulnset 所勾选的Vulns,但是当使用基于rule的方法之后,在该表中就没有了相应的内容。
一度以为查找错了表,后续想到和其他的Vulnset的不同点就是基于tree和rule的不同,验证后确认,详细查看了Vulnset表,有基于类型不同的字段。
///xml文件的内容
<!-- Rule-based Vuln Set filter (the value stored in VulnSet.VulnFilterXML).
     Each {n} placeholder in the Filter expression stands for the Condition
     whose ConditionID is n (0..18 here), so the expression reads:
       (0 and 1) and (2 or ... or 16) and (17 and 18).
     NOTE(review): the generated VulnFilterProcessedQuery maps Column "Module"
     to ModuleID, "Category" to VulnCategoryID and "Vulnerability Name" to a
     NOT LIKE on VulnName; the Value text appears to be copied straight into
     that SQL, so the generator must escape quotes and LIKE wildcards in
     Value - confirm before treating this XML as untrusted input. -->
<VulnFilter>
<Filter expression="( {0} and {1} ) and ( {2} or {3} or {4} or {5} or {6} or {7} or {8} or {9} or {10} or {11} or {12} or {13} or {14} or {15} or {16} ) and ( {17} and {18} )">
<!-- Conditions 0-1: only non-intrusive checks, excluding module 3 -->
<Condition>
<Column>Intrusive</Column>
<Operator>equals</Operator>
<Value>0</Value>
<ConditionID>0</ConditionID>
</Condition>
<Condition>
<Column>Module</Column>
<Operator>does not equal</Operator>
<Value>3</Value>
<ConditionID>1</ConditionID>
</Condition>
<!-- Conditions 2-16: category membership, OR-ed together in the expression -->
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>6</Value>
<ConditionID>2</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>10</Value>
<ConditionID>3</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>12</Value>
<ConditionID>4</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>14</Value>
<ConditionID>5</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>31</Value>
<ConditionID>6</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>50</Value>
<ConditionID>7</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>32</Value>
<ConditionID>8</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>115</Value>
<ConditionID>9</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>30</Value>
<ConditionID>10</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>48</Value>
<ConditionID>11</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>16</Value>
<ConditionID>12</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>24</Value>
<ConditionID>13</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>70</Value>
<ConditionID>14</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>19</Value>
<ConditionID>15</ConditionID>
</Condition>
<Condition>
<Column>Category</Column>
<Operator>equals</Operator>
<Value>21</Value>
<ConditionID>16</ConditionID>
</Condition>
<!-- Conditions 17-18: exclusions by vulnerability name (substring match) -->
<Condition>
<Column>Vulnerability Name</Column>
<Operator>does not contain</Operator>
<Value>SSHv1 Protocol Enabled</Value>
<ConditionID>17</ConditionID>
</Condition>
<Condition>
<Column>Vulnerability Name</Column>
<Operator>does not contain</Operator>
<Value>Microsoft Internet Information Services Remote DoS</Value>
<ConditionID>18</ConditionID>
</Condition>
</Filter>
</VulnFilter>
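USE faultline;
-- Everything from FROM onward is the stored value of [VulnFilterProcessedQuery]
-- for the filter rule we built; "SELECT *" is only prepended here so the text
-- can be run in SSMS.  T-SQL has no "//" comment syntax, and the curly quotes
-- from the original page are restored to plain single quotes.  The 15-way OR
-- chain is kept (rather than IN (...)) so each predicate maps one-to-one onto
-- a Condition in VulnFilter.xml.
SELECT *
FROM Content.vwVulnCategoryVulnSelectable AS MasterView
WHERE 1 = 1
  AND ( (MasterView.Intrusive = 0) AND (MasterView.ModuleID <> 3) )
  AND (
        (MasterView.VulnCategoryID = 6)
        OR (MasterView.VulnCategoryID = 10)
        OR (MasterView.VulnCategoryID = 12)
        OR (MasterView.VulnCategoryID = 14)
        OR (MasterView.VulnCategoryID = 31)
        OR (MasterView.VulnCategoryID = 50)
        OR (MasterView.VulnCategoryID = 32)
        OR (MasterView.VulnCategoryID = 115)
        OR (MasterView.VulnCategoryID = 30)
        OR (MasterView.VulnCategoryID = 48)
        OR (MasterView.VulnCategoryID = 16)
        OR (MasterView.VulnCategoryID = 24)
        OR (MasterView.VulnCategoryID = 70)
        OR (MasterView.VulnCategoryID = 19)
        OR (MasterView.VulnCategoryID = 21)
  )
  -- Name exclusions: ISNULL keeps rows with a NULL name (NULL NOT LIKE would
  -- be UNKNOWN and drop them); ESCAPE '!' is declared by the generator even
  -- though neither pattern contains '!'.
  AND (
        ( ISNULL(MasterView.VulnName, '') NOT LIKE '%SSHv1 Protocol Enabled%' ESCAPE '!' )
        AND ( ISNULL(MasterView.VulnName, '') NOT LIKE '%Microsoft Internet Information Services Remote DoS%' ESCAPE '!' )
  );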
原文地址:http://mintank.blog.51cto.com/2544524/1632382